Knowledge creation in cybersecurity threat modeling workshops : case study


Academic year: 2022


MASTER’S THESIS

Johanna Orjatsalo 2020


LAPPEENRANTA-LAHTI UNIVERSITY OF TECHNOLOGY LUT SCHOOL OF BUSINESS AND MANAGEMENT

KNOWLEDGE MANAGEMENT AND LEADERSHIP

Johanna Orjatsalo

KNOWLEDGE CREATION IN CYBERSECURITY THREAT MODELING WORKSHOPS – CASE STUDY

Master’s thesis 2020

Examiners 1st examiner: Professor Kirsimarja Blomqvist

2nd examiner: Post-doctoral Researcher Argyro Almpanopoulou


ABSTRACT

Lappeenranta-Lahti University of Technology LUT

School of Business and Management

Degree Programme in Knowledge Management and Leadership

Johanna Orjatsalo

KNOWLEDGE CREATION IN CYBERSECURITY THREAT MODELING WORKSHOPS – CASE STUDY

Master’s Thesis 2020

137 pages, 20 figures, 4 tables and 5 appendices

Examiners: 1st examiner: Professor Kirsimarja Blomqvist

2nd examiner: Post-doctoral Researcher Argyro Almpanopoulou

Keywords: knowledge, knowledge management, knowledge creation, social capital, shared context, knowledge combination, knowledge exchange, SECI, cybersecurity, threat modeling, technology architecture, workshop

Understanding all the levels of the whole technology stack of an organizational entity, all its interfaces, and how it works in practice is often challenging. Still, organizations need to be able to examine their digital operations from different angles whenever needed. To cope with the fact that they might not have adequate and up-to-date knowledge easily available, organizations have developed various approaches to pull together the required knowledge of their digital operations for certain purposes.

This research focused on examining knowledge creation as part of one of those approaches, cybersecurity threat modeling workshops. The objective of this qualitative case study was to form an understanding about the enablers of knowledge creation during threat modeling, and especially how the nature of knowledge and different dimensions of social capital may impact knowledge creation in such context.

Research material consisted of three cases, each representing a threat modeling workshop having different scope and participants. Empirical data was gathered by observing the threat modeling workshops and interviewing the respective facilitators and owners for each case. Various knowledge management theories and concepts were used both for designing the research as well as reflecting the observations and findings.

The study identified several elements and aspects that were considered to impact knowledge creation both before and during threat modeling workshops, and which could be linked to the existing knowledge management theories and concepts.

Additionally, it produced some practical observations that can be used for developing threat modeling practices going forward.


FINNISH ABSTRACT

Lappeenranta-Lahti University of Technology LUT

School of Business and Management

Degree Programme in Knowledge Management and Leadership

Johanna Orjatsalo

KNOWLEDGE CREATION IN CYBERSECURITY THREAT MODELING WORKSHOPS – CASE STUDY

Master’s Thesis 2020

137 pages, 20 figures, 4 tables and 5 appendices

Examiners: 1st examiner: Professor Kirsimarja Blomqvist

2nd examiner: Post-doctoral Researcher Argyro Almpanopoulou

Keywords: knowledge, knowledge management, knowledge creation, social capital, shared context, knowledge combination, knowledge exchange, SECI model, cybersecurity, threat modeling, technology architecture, workshop

It is often challenging for organizations to understand the whole formed by their digital systems, its interfaces and how it works in practice. Nevertheless, they must be able to examine their digital operations from different perspectives whenever needed. Organizations have therefore developed various ways of forming knowledge about their different system entities, also in situations where such knowledge would not necessarily be readily available.

The objective of this research was to examine the factors affecting knowledge creation in one such situation: cybersecurity threat modeling workshops. The research was carried out as a qualitative case study, and its aim was to understand which factors promote knowledge creation in connection with threat modeling and, in particular, whether the organization's social capital or the nature of knowledge may have an effect on knowledge creation.

The research material consisted of three different threat modeling workshops, each of which covered different content with different participants. Empirical research data was gathered by observing the course of the workshops and by interviewing the facilitator and the owner of each workshop. Knowledge management theories and concepts were used abductively in the different phases of the research.

The study helped to identify elements and perspectives affecting knowledge creation, relating both to the workshop work and to the preparations preceding the workshops, and to find connections between these elements and knowledge management theories and concepts. In addition to these research findings, the study produced some practical observations for developing threat modeling practices.


ACKNOWLEDGEMENTS

Back in 2005, I wanted to learn more about how neural networks work and started studying Information and Service Management at Aalto University. Finalizing the studies and working full time proved to be somewhat challenging, and at the beginning of 2018 I decided that I would need to do something about this. And then I found LUT University’s program of Knowledge Management, TIJO <3

This Master’s thesis is a result of many iterations, and while nearly everything has been changed at least once during this process, now it is time to let go and leave it as it is. I would like to thank all the following for making this possible:

• All the case organization representatives who were involved in this study, for providing the opportunity to closely monitor their threat modeling work and for sharing their insights so openly

• Antti Vähä-Sipilä and Laura Noukka for the ideas, sparring, discussions, and all

• Professor Kirsimarja Blomqvist from LUT University for making her valuable experience available throughout the journey

• TIJO2018 for first-class 24/7 peer support

• Alma Mater x 2 aka LUT University for the past 2 years and Aalto University for the past n-2 years

• COVID19 for the interesting changes of plans

• Taxpayers of Finland for the financial support available through Finnish Employment Fund (aikuiskoulutustuki)

• My dear friends, especially Inna, for mental support

And last but not least

• J, J & K for putting up with me and making sure I did not get too involved into this stuff (even though it was sometimes very very close)

22.7.2020

Johanna Orjatsalo


TABLE OF CONTENTS

1 INTRODUCTION

1.1 Background for the study

1.2 Research objectives and rationale

1.2.2 Key definitions

1.2.3 Research questions

1.2.3 Research focus and theoretical scope

1.3 Research methodology and approach

1.4 Research structure

2 NATURE OF KNOWLEDGE

2.1 Characteristics of knowledge

2.1.1 Explicit/tacit dimension of knowledge

2.1.2 Individual/collective dimension of knowledge

2.1.3 Other categorizations of knowledge

2.1.4 Summary of different knowledge categorizations

2.2 Dynamic nature of knowledge

2.2.1 Nonaka’s SECI model

2.2.2 SECI model and knowing

2.3 Key observations regarding nature of knowledge

3 KNOWLEDGE CREATION

3.1 Knowledge creation in knowledge management frameworks

3.2 Elements of knowledge creation

3.2.1 Acquiring knowledge vs creating knowledge

3.2.2 Sharing knowledge to create knowledge

3.2.3 SECI model and knowledge creation

3.2.5 Enablers/prerequisites for knowledge creation

3.3 Summary of knowledge creation

4 SOCIAL CAPITAL AND KNOWLEDGE CREATION

4.1 Three dimensions of social capital

4.2 Impact of social capital to conditions of knowledge creation

4.2.1 Impact of structural dimension

4.2.2 Impact of relational dimension

4.2.3 Impact of cognitive dimension

4.3 Social capital, knowledge creation and shared context

4.3.1 Shared context and knowledge overlap

4.3.2 Shared context and knowledge assets

4.3.3 Shared context and “ba”

4.4 Summary of social capital and knowledge creation

5 RESEARCH CONTEXT, APPROACH, AND METHODOLOGY

5.1 Research context

5.2 Research approach and methodology

5.2.1 Research questions

5.2.2 Research methodology

5.2.3 Research approach

5.3 Data gathering approach and methods

5.3.1 Workshop observations

5.3.2 Semi-structured focus interviews

5.4 Data analysis and methods

5.5 Research reliability and validity

5.6 Case descriptions

5.6.1 Case 1 description

5.6.2 Case 2 description

5.6.3 Case 3 description

6 RESULTS AND KEY FINDINGS

6.1 Themed results

6.1.1 The role of documents and models

6.1.2 The role of workshop participants

6.1.3 The role of facilitation

6.1.4 The role of scope

6.2 Key findings

6.2.1 Knowledge creation

6.2.2 Social capital

6.2.3 Nature of knowledge

7 CONCLUSIONS

7.1 Knowledge creation in threat modeling workshops

7.2 Managerial implications

7.3 Limitations and suggestions for further research

LITERATURE

APPENDIX 1. Pre-workshop interview structure

APPENDIX 2. Post-workshop interview structure

APPENDIX 3. Data flow diagrams

APPENDIX 4. STRIDE model for threat identification

APPENDIX 5. Documents created as part of the workshops


FIGURES

Figure 1. Research question, sub-questions and related research approach.

Figure 2. Research approach and structure.

Figure 3. SECI model for knowledge conversion.

Figure 4. Spiral of organizational knowledge creation.

Figure 5. Adding knowing to knowledge.

Figure 6. Heisig’s GPO-WM Framework, a three-layered model describing the focus areas of knowledge management.

Figure 7. Alignment between three knowledge creation models.

Figure 8. “Ba” as a shared context in motion.

Figure 9. Social capital in the creation of intellectual capital.

Figure 10. Structure and approach for this study, including related theories and concepts.

Figure 11. Cybersecurity activities and the focus of this study.

Figure 12. Research question, sub-questions and related research approach.

Figure 13. End-to-end research approach.

Figure 14. Timeline of interviews and workshops used for empirical research.

Figure 15. High-level approach for planning and conducting a threat modeling workshop.

Figure 16. Case 1 workshop phases and participant activity.

Figure 17. Case 2 workshop phases and participant activity.

Figure 18. Case 3 workshop phases and participant activity.

Figure 19. Themes and sub-themes emerging from empirical research material.

Figure 20. Knowledge creation in threat modeling workshops.

TABLES

Table 1. Knowledge management theories and concepts relevant to this study.

Table 2. Summary of different categorizations of knowledge.

Table 3. Summary of articles reviewed for Chapter 3.

Table 4. Summary of the cases.


1 Introduction

Organizations are continuously developing their digital operations, and due to the high speed of this change, understanding all the levels of the whole technology stack of an organizational entity, all its interfaces, and how it works in practice has become challenging. Despite various models, methods and guidelines that have been developed for keeping track of the organization’s digital architecture, a major share of such knowledge is often not directly available or usable when needed (Babar & Gorton 2007; Zimmermann et al. 2012; Schoenfield 2015; Capilla et al. 2016). To cope with the fact that they might not have the adequate knowledge easily available, organizations have developed various approaches to form an understanding of their digital operations for specific purposes whenever needed. This study looks at knowledge creation as part of one of those approaches, cybersecurity threat modeling.

1.1 Background for the study

Knowledge related to organization’s digital and enterprise architecture is important for managing, developing, and improving its operations but also when evaluating and mitigating the potential risks. Similarly to physical operations, the risks of failure for digital operations are connected to those situations in which the system or its components do not contribute as intended, or in which there is a possibility that they can be altered to contribute in a different way than what was originally intended. The concept of “cybersecurity” can be seen as a combination of various activities that aim at securing different types of digital structures and objects (such as data, processes or devices) to prevent damage that can occur if these structures do not function as intended. These activities need to be in line with the constantly evolving digital architecture and the continuous interaction between various actors reforming this knowledge, as well as the continuously emerging and developing cybersecurity threat landscape. (Shostack 2014; Schoenfield 2015).

Organizations can apply various cybersecurity approaches and methods, aiming at either preventing cybersecurity incidents from happening or minimizing the damage caused by them. An end-to-end cybersecurity management approach is often considered to consist of four different categories of activities: 1) identify/predict the risks/threats, 2) prevent them from happening by improving cybersecurity levels (defense), 3) detect possible threats/attacks/breaches, and 4) respond with fixes and further improvements. (Gartner 2017; National Institute of Standards and Technology (NIST) 2018).

From a knowledge management point of view, cybersecurity activities have traditionally been considered as a means of protecting the organization’s intellectual capital and operations, which according to the Knowledge-Based View of the firm are the most important assets for the organization. Hence, cybersecurity has been considered as a moderator of the organization’s value creation process and knowledge management activities rather than one of those capabilities that would create competitive advantage. (Gold et al. 2001; Sallos et al. 2019)

Knowledge management literature includes several examples of research work that applies knowledge management related frameworks and concepts in value creating activities, such as innovation management, business ecosystems management or general management (Handzig 2017). It has been only recently that knowledge management has been brought up as a research field that could bring significant enhancement also into cybersecurity planning and management (Tisdale 2015).

The examples include, e.g., evaluating possibilities to store and reuse cybersecurity related knowledge (Souag et al. 2016) or using knowledge management toolset to facilitate cybersecurity related knowledge creation (e.g., Kalogeraki et al. 2018).

Cybersecurity provides an interesting research context for knowledge management researchers for two reasons. First, even though the organizations would have a rather well-managed knowledge repository from architectural point of view, it alone does not serve the purpose of assessing or improving their security. Vast majority of the security issues emerge as a combination of several factors, and many of them also involve interaction of some kind, either between the systems or their components, between material and human actors, or even between humans alone.

In cybersecurity planning and management, it is therefore typical that forming an understanding of threats for a certain part of a system requires exchanging and combining information and knowledge between different sources. (Schoenfield 2015)


Second, having adequate knowledge of digital operations and related risks, threats and vulnerabilities is not enough. To plan and manage its cybersecurity activities, an organization also needs to understand how to identify, prioritize and apply activities based on this knowledge. The dynamic and context-specific nature of (technology-related) knowledge in organizations creates challenges for identifying and applying adequate cybersecurity activities but also for managing the cybersecurity knowledge itself. In their article published at the end of 2019, Sallos et al. have defined cybersecurity management primarily as a knowledge problem, describing this problem as “knowledge about lack of cybersecurity knowledge within the boundaries of organization” (Sallos et al. 2019, 592). This lack of knowledge originates from the overall complexity and scattered nature of architectural knowledge within organizations, but also from the aspect that cybersecurity related knowledge is a specific area of knowledge, which is not that common within organizations in any format (Tisdale 2015; Sallos et al. 2019).

Cybersecurity risk management approaches, methodologies and frameworks provide an opportunity for organizations to understand, analyze and prioritize the risks attached to their digital structures and support them in creating mitigation plans. This study focuses on threat modeling, which is part of predictive cybersecurity activities. The objective of threat modeling is to increase the understanding of what kinds of threats can put a certain system and its operability at risk. The organization then uses this knowledge to decide its approach regarding the identified threats. (Shostack 2014; Schoenfield 2015; Gartner 2017; National Institute of Standards and Technology (NIST) 2018). Threat modeling can be done in numerous ways, and for this study, the research focus will be on three individual threat modeling workshops.

1.2 Research objectives and rationale

The main objective of this study is to understand the enablers of knowledge creation in the context of threat modeling workshops, and especially how the nature of knowledge and different dimensions of social capital may impact knowledge creation in such context.

As the study also serves as a Master’s thesis, it also has a secondary objective of providing the researcher with an opportunity to learn how knowledge management research approaches knowledge creation. Depending on the relevancy of the research findings, the work can also provide new, practical ideas for developing threat modeling workshops and related practices from a knowledge management perspective.

According to knowledge management researchers, knowledge is created through continuous interaction amongst human actors as well as between human and non-human actors (such as the physical environment). Knowledge is not the same as information; instead of being the same for everyone, it is subject to various individual-level meanings through interpretations made by everyone involved in the related interaction. To enable knowledge creation, knowledge needs to be shared/transferred; both knowledge combination and knowledge exchange are thereby crucial activities for knowledge creation. Knowledge-related interaction takes place even without intentional facilitation. However, it can be enhanced with intentional activities, such as improving the conditions for knowledge combination and exchange (Nonaka 1994; Spender 1996; Nahapiet & Ghoshal 1998; Cook & Brown 1999; Nonaka et al. 2000; Fong 2003).

When discussing the characteristics of cybersecurity related knowledge in organizations, the high speed of technological development and its impacts on the dynamic, uncertain, and context-specific nature of knowledge must be highlighted (Sallos et al. 2019). As discussed earlier in this chapter, knowledge needed for planning and managing cybersecurity related activities is often scattered and not easily available, and organizations typically need to involve stakeholders from different teams within an organization as well as from other organizations, such as third party vendors, in order to ensure they have access to adequate knowledge. (Schoenfield 2015; Tisdale 2015).

Cybersecurity threat modeling workshops are an excellent case example of intentionally facilitated knowledge creation within cybersecurity context. The scope for threat modeling (for example a system, a connection, a change, or a feature) is agreed prior to the workshop. During the actual workshop, the participants need to form a common understanding of the area included in the scope, and then work together on identifying the potential threats based on this knowledge. Having such a joint objective facilitates knowledge creation, and there are also various tools, methods and guidelines that are being used to support this. (Shostack 2014, Schoenfield 2015)

1.2.2 Key definitions

This study discusses various definitions, many of which are explained as they are first introduced. However, there are a few key definitions which help define the overall scope of the study.

Cybersecurity consists of activities to protect different types of digital structures and objects (such as data, processes, devices), to prevent damage that can occur if these structures do not function as intended. (Schoenfield 2015).

Knowledge is something we use for evaluating and incorporating new experiences and information. Creating and applying it requires human activity, and it consists of a mix of “framed experience, values, contextual information and expert insight”. In organizations, it exists in several formats, such as documents but also as organizational processes, routines and practices. (Davenport and Prusak 1998, 5).

Knowledge exchange means mutual sharing of knowledge between at least two actors, and it is a prerequisite for knowledge combination (Nahapiet & Ghoshal 1998, 248).

Knowledge combination involves creating new knowledge either through combining elements previously unconnected or by developing novel ways of combining elements previously associated (Nahapiet & Ghoshal 1998, 248).

Knowledge creation means renewing one’s existing context and knowledge through the continuous interaction with others, either other individuals or environment (Nonaka et al. 2000, 8). Knowledge is created through exchange and combination (Nahapiet & Ghoshal 1998, 248).

Social capital is formed by those resources that are included in or can be reached via the relationships of an individual or organization (social unit) to other individuals or organizations. (Nahapiet & Ghoshal 1998, 243).

Threat modeling is based on using abstractions to help understand what kind of threats can put organization’s digital operations under risk (Shostack 2014, xxiii).


1.2.3 Research questions

The main research question and its sub-questions are formed directly based on the research objective. The main research question is:

A. What enables knowledge creation in cybersecurity threat modeling workshops?

Addressing this question requires answering the following sub-questions:

B. What is knowledge creation and how does it take place?

C. How do the different characteristics of knowledge impact knowledge creation?

D. How do the different aspects of social capital impact knowledge creation?

E. Which elements of knowledge creation can be identified in cybersecurity threat modeling workshops?

Figure 1. Research question, sub-questions and related research approach.

Figure 1 describes the connection between research questions and research approach. Theoretical research in the form of a literature review is used for forming an understanding of knowledge creation (sub-question B) as well as the potential elements impacting knowledge creation (sub-questions C & D). Additionally, empirical research is conducted to identify the potential elements of knowledge creation in threat modeling workshops (sub-question E), and to answer the main research question on what enables knowledge creation in threat modeling workshops (question A).

1.2.3 Research focus and theoretical scope

This study assumes that both the fast pace of digitalization and the dynamic and context-driven nature of knowledge create additional challenges for planning and managing cybersecurity activities. Consequently, this creates a need for organizations to intentionally facilitate their knowledge creation to be able to plan and manage their cybersecurity-related activities. This assumption emerges from both the personal experiences of the researcher, as well as from cybersecurity related literature (Shostack 2014; Schoenfield 2015; Tisdale 2015; Sallos et al. 2019) and the research objective is strongly based on this assumption.

Knowledge management has always had strong connections to other sciences, such as library (and information management), computer (and information systems), cognitive and organizational sciences, and is also used as a methodology or tool in many of these fields. Some of the recent knowledge management research work indicates that knowledge management is shifting into a direction where it would experience a fusion with other disciplines. (Handzig 2017). As a Master’s thesis, the secondary objective of this study is to learn about knowledge management theories and concepts, and for this purpose, the focus is on basic-level knowledge management theories and concepts, mostly excluding the potential further knowledge management research that has been done with a focus on, for example, the field of computer/information systems.

Earl (2001, 218) sees that knowledge management research has been conducted from three different positions: 1) technocratic school focuses on how information or management technologies support knowledge work, 2) economic school is interested in how knowledge and intellectual capital contribute to revenue generation, whereas 3) behavioral school examines how managers and management can facilitate knowledge creation, sharing and usage. Handzig (2017) has further categorized knowledge management research being related to three contexts: 1) knowledge enablers (“social and technical factors in enabling and facilitating knowledge processes”), 2) knowledge processes (“processes through which knowledge is moved and modified”), and 3) knowledge stocks (“knowledge is seen as a valuable organizational asset”, bringing together “different perspectives of knowledge”).

In terms of the three knowledge management schools identified by Earl (2001), this study represents the behavioral school as it focuses on how knowledge creation takes place as a human interaction, and as part of this, examines the elements facilitating knowledge creation. As the research focus is strongly on the enablers of knowledge creation, this study does not describe knowledge creation as a process taking place during threat modeling workshops, nor provides a detailed narrative on how individual workshop participants contribute to knowledge creation activities.

Regarding knowledge enablers facilitating knowledge creation, the theoretical focus is more on social than technical factors enabling and facilitating knowledge creation.

As knowledge creation is based on a combination and exchange of (existing) knowledge, also the nature of knowledge is examined as part of potential enablers and as a contextual factor. (Nonaka 1994; Nahapiet & Ghoshal 1998; Cook & Brown 1999; Nonaka et al. 2000).

Knowledge management theories and concepts relevant to this study are described in Table 1. Regarding the three research contexts defined by Handzig (2017), the analysis will include elements of all three: knowledge enablers, knowledge processes and knowledge stocks. From the process and stocks perspectives, the research is based on the viewpoint of knowledge being dynamic and context-specific, rather than looking at it as stock of knowledge or knowledge base (Nonaka 1994; Nonaka & Takeuchi 1995; Cook & Brown 1999; Nonaka et al 2000; Takeuchi & Nonaka 2002; Nonaka & Von Krogh 2009). It also considers knowledge being situated in organizations and individuals in many forms (Nonaka 1994; Blackler 1995; Spender 1996; Teece 1998; Cook & Brown 1999; Nonaka et al. 2000).

This study also adopts a dynamic view on knowledge creation; hence, it considers knowledge creation to take place as a continuous spiral rather than a linear process, or even a continuous state of “knowing”, due to the dynamic and context-specific nature of knowledge (Nonaka 1994; Blackler 1995; Cook & Brown 1999; Nonaka et al. 2000; Alavi & Leidner 2001; Fong 2003; Pinho et al. 2012). Regarding knowledge enablers, especially the role of social capital, its three dimensions and the four conditions of knowledge creation are discussed (Nahapiet & Ghoshal 1998). The theory of the role of social capital in knowledge creation is also compared with the role of shared context in knowledge creation (Nonaka 1994; Blackler 1995; Grant 1996; Nahapiet & Ghoshal 1998; Nonaka et al. 2000; Fong 2003).

Table 1. Knowledge management theories and concepts relevant to this study.

1.3 Research methodology and approach

The main objective of this study was to understand how knowledge creation takes place in threat modeling workshops, and how the nature of knowledge and different dimensions of social capital may impact knowledge creation in such context. The research was based on knowledge management theories and concepts, and it was conducted as a qualitative case study. Abductive reasoning logic was used as the analysis logic throughout the research. (Dubois & Gadde 2002; Blatter 2012; Timmermans & Tavory 2012). Empirical research material was gathered from three threat modeling workshops and analyzed as a multiple case study. (Yin 2017).

The research assumptions described in section 1.2.3 acted as the basis for the abductive research design, in which the theoretical and empirical material was analyzed simultaneously. First, a literature review was conducted to identify initial answers to three of the sub-questions and to anticipate potential structure and methods for empirical data gathering. For this purpose, the theories of knowledge creation, nature of knowledge and social capital were examined (see Figure 2).


Initial findings from the literature review were then used to create an initial understanding of the theoretical base describing knowledge creation and its enablers.

Based on the initial theoretical base, the structure for the empirical research approach was designed with the objective of gathering data to answer the fourth sub-question: E. Which elements of knowledge creation can be identified in cybersecurity threat modeling workshops?

Empirical data was gathered from three cases (cybersecurity threat modeling workshops) as a qualitative inquiry. Primary research data was gathered through non-participant observations during the workshops as well as by conducting semi-structured interviews of the workshop facilitator and owner before and after each workshop. Workshop presentations and documentation were used as secondary data to complement primary research data.

Data analysis started during data gathering and transcription by comparing the theories examined for literature review with the empirical observations. The actual data analysis was done after data gathering, and it included classifying the data and identifying potential connections between the observations and the potential set of theories and concepts. The outcomes of this comparison were used for enriching the set of theories and concepts discussed in literature review. Finally, the findings emerging from the data and their theoretical and conceptual linkages were used as the basis for the research discussion and conclusions. Research approach and structure are summarized in Figure 2.

Figure 2. Research approach and structure.

1.4 Research structure

Research structure follows the previously introduced research approach (Figure 2).

Chapter 2 starts with a short introduction to knowledge management and then proceeds to describing the characteristics and nature of knowledge. After the introduction to knowledge and its nature, Chapter 3 approaches knowledge creation from the viewpoint of knowledge management frameworks and provides a view on the potential elements of knowledge creation based on earlier literature. Chapter 4 examines social capital and its impact on knowledge creation, together with the role of shared context.

Empirical research context, approach, and methodology, together with the three cases analyzed in this research are introduced in Chapter 5, and the results and key findings from the case analysis are then presented in Chapter 6. Chapter 7 concludes the research findings, also discussing some managerial implications, research limitations and suggestions for further research.

2 Nature of knowledge

Even though knowledge management as a field of science has existed for over 30 years, there is no universal and common definition for either knowledge or knowledge management (Heisig 2009, 13; Handzig 2017, 7). In their popular book “Working knowledge” (according to Researchgate.net, the book had been cited 8004 times by March 26, 2020), Davenport and Prusak define knowledge as something people use for evaluating and incorporating new experiences and information. They state that it consists of a mix of “framed experience, values, contextual information and expert insight”, and that creating and applying it requires human activity. In organizations, knowledge exists in the form of for example documents but also as organizational processes, routines, and practices. (Davenport and Prusak 1998, 5).

In knowledge management literature, knowledge is often described to be constantly evolving and dynamic rather than static and unchanged. Knowledge can only exist when it is given a context, making it highly dependent on time and space. This means that knowledge at one moment in time within a certain context is not the same as at some other moment and in some other context. Knowledge is created in the interaction between different actors (either human actors or between human and non-human actors) and it continuously forms through the interpretations made by individuals. Knowledge accumulates and changes within these interactions. (Spender 1996, 47; Cook & Brown 1999; Nonaka et al. 2000, 7).

Understanding how (and to what extent) knowledge can be managed also requires understanding the knowledge itself. The nature of knowledge has also been widely examined and various categorizations have been created based on its different characteristics. Next, some of these categorizations and characteristics are discussed to form an understanding on how knowledge can be viewed.

2.1 Characteristics of knowledge

Knowledge exists in organizations in many forms, and the different categories and characteristics of knowledge described in knowledge management literature can be considered as reflections of its dynamic and context-specific nature. Organizational capability of knowledge creation varies between organizations and is not dependent on the static “stock of knowledge” (Nonaka et al. 2000, 6), but understanding the various characteristics of knowledge in organizations may still help identify possibilities for facilitating knowledge creation, especially when it comes to strategically meaningful knowledge assets (Teece 1998, 63).

Knowledge is most often categorized into the categories of tacit (implicit) and explicit knowledge, as well as individual and collective knowledge (Heisig 2009, 8). These form two dimensions, explicit/tacit and individual/collective, and are often referred to as the four most relevant categories of knowledge (Kogut & Zander 1992; Nahapiet & Ghoshal 1998; Nonaka et al. 2000). Nahapiet & Ghoshal also suggest that all intellectual capital of an organization can be described through these four categories (1998, 246-247).

The explicit/tacit dimension of knowledge is often referred to as the “epistemological dimension”, as it discusses the essence of knowledge, whereas the individual/collective dimension is known as the “ontological dimension”, as it concerns the structural and relational view of knowledge (Nonaka 1994, Lam 2000).

The next section describes each of these four “main” categories (two dimensions) and how they have been discussed in knowledge management literature.

2.1.1 Explicit/tacit dimension of knowledge

Explicit (also sometimes codified) knowledge has been described as “knowing about” (Grant 1996, 111) or “knowing what something means” (Kogut & Zander 1992, 386). What is common to these definitions is that when in explicit format, knowledge is codified and easy to transfer. It can exist in either physical or digital format, such as blueprints, formulas, or computer code. (Kogut & Zander 1992; Nonaka 1994, 16; Grant 1996; Teece 1998, 63; Nonaka et al, 2000, 8). If not put in a context, explicit knowledge can be practically considered as “information” (Nonaka 1994, 16; Nonaka et al, 2000, 8).

Tacit knowledge (also sometimes implicit) is usually defined as “knowing how” (Grant 1996, 111; Teece 1998, 63) or “know-how, knowing how to do something” (Kogut & Zander 1992, 386). It is seen to be based on personal intuition and the observation that people cannot express all that they know (Polanyi 1958/1962; Teece 1998, 63). As it is in implicit format, it is not easily transferrable (Grant 1996, 111; Teece 1998, 63). Master-apprentice co-operation or simply other face-to-face interaction (mainly with physical dimension) is mentioned as a suitable approach for transferring tacit knowledge, as this setup includes the possibility to “show in practice” and to have clarifying discussions that support sensemaking and learning (Nonaka 1994, 18-20; Teece 1998, 63-64).

Explicit and tacit categories are continuously interacting with each other. Explicit knowledge is used and applied with the help of tacit knowledge (for example in making decisions), and tacit knowledge is (to the extent that is possible) expressed through action within organizations. Knowledge evolves through interaction between these categories. (Nonaka 1994, 18-20; Spender 1996, 50; Nonaka et al. 2000, 8).

What distinguishes explicit and tacit categories of knowledge is not always self-evident in knowledge management literature. The characteristics connected with tacit knowledge vary from underlying knowledge that cannot be articulated, expressed, or observed, to tacit or implicit knowledge that can be expressed and observed through interaction (Polanyi 1958/1962; Nonaka 1994). For explicit knowledge, characteristics such as transferability and materiality are used, and it is always considered as tangible (Kogut & Zander 1992; Nonaka 1994, 16; Grant 1996; Teece 1998, 63; Nonaka et al, 2000, 8).

The difference between definitions of explicit knowledge, which is tangible and transferable, and information, which can be stored as it is in explicit format, has also been challenged. For example, Rowley (2007, 178), based on an extensive literature review of textbooks in the fields of knowledge revolution, information systems and knowledge management, argues that “The distinction between definitions of information as data processed to be meaningful, valuable and appropriate for a specific purpose, and definitions of knowledge and ‘actionable information’ overlap and need further investigation. If knowledge is a property of the human mind, with the potential for action, explicit knowledge cannot be any more or less than information”.

Rowley’s arguments are based on the observation that information is always modified or structured through human action. However, even if human action has affected how information has been formed, this viewpoint does not consider the human action linked to using the information. Whereas tacit knowledge is embedded within individuals, it also has a role in converting information into explicit knowledge, as it steers the individual’s process of interpreting the information. Information without human interpretation is purely information. It is only the human interaction that transforms information into knowledge and in this sense, knowledge can never be considered as an object. (Nonaka 1994; Grundstein 2013).

2.1.2 Individual/collective dimension of knowledge

Knowledge is also often categorized into individual knowledge and collective (or social/organizational/group) knowledge (Heisig 2009, 8). In principle, these knowledge categories can be described rather simply: individual knowledge is the knowledge possessed and practiced by the individual, whereas collective knowledge can be seen to be the knowledge possessed and practiced by a group (Nonaka 1994, 17; Cook & Brown, 1999).

Individual knowledge can exist in both explicit and tacit format. When in explicit format, it consists of facts, concepts and frameworks and can easily be stored and retrieved (Spender 1996, 50-51). Tacit individual knowledge can be in many forms, and it is visible for example when people exercise their skills (such as riding a bike). (Polanyi 1958/1962; Spender 1996, 50-51). As it is in tacit format, sharing it properly is difficult (Nonaka 1994, 16).

Collective knowledge (also sometimes group/social knowledge) can also be identified in both explicit and tacit format. Collective explicit (objectified, codified) knowledge is something that the organization tends to find extremely useful, as it can be shared and leveraged rather easily throughout the whole organization. Collective tacit knowledge is based on experience, and it is visible in organizational interaction, such as routines. This tacit “shared body of knowledge” can be considered as the most secure and strategically significant form of knowledge. (Spender 1996, 50-52; Nonaka & Von Krogh 2009, 636).

“Collective” as a term appears in various formats in knowledge management literature. Some researchers (e.g., Nonaka et al. 2000) use the word “collective” to describe a group-level knowledge-related interaction as the other dimension of individual-level knowledge-related interaction. This kind of social interaction takes place “beyond individuals” and it can happen across boundaries (Nonaka 1994, 17). Some other researchers (e.g., Spender 1996) use “collective” to describe group-level tacit knowledge, whereas knowledge in groups is simply “group knowledge”. Kogut & Zander (1992) also make a distinction between collective knowledge on the levels of a group, an organization, or a network. In this study, the term “collective” knowledge is used as the other dimension together with “individual” knowledge, including both collective explicit and collective tacit knowledge (Nonaka 1994).

The four categories of explicit, tacit, individual and collective knowledge are often described as “four main categories of knowledge”. However, many researchers also describe the relationships between these categories of knowledge as somewhat dynamic and fluid, as knowledge continuously evolves (Cook & Brown 1999; Nonaka et al. 2000; Nonaka & Von Krogh 2009). Besides the four main categories, knowledge has also been categorized based on some of its other characteristics. The next section discusses these categorizations and how they describe the nature of knowledge.

2.1.3 Other categorizations of knowledge

In organizational context, knowledge can also be looked at from other “dimensions” or categories than explicit-tacit and individual-collective. This section introduces five other categorizations described in knowledge management literature: 1) Positive/negative knowledge (Teece 1998); 2) Knowledge that is observable/non-observable-in-use (Teece 1998); 3) Systemic/componential knowledge (Spender 1996); 4) Autonomous/systematic knowledge (Teece 1998), and 5) Embrained/embodied/encultured/embedded/encoded knowledge (Blackler 1995). What makes each of these categorizations interesting from the viewpoint of this study is that they discuss such aspects of knowledge that are not directly covered by the four main categories described in the previous section.

Positive/Negative knowledge

As one of the additional knowledge categorizations, Teece (1998, 64) mentions a categorization into positive and negative knowledge. Positive knowledge is the knowledge linked to such discoveries that may for example lead to innovations or business success, and organizations tend to willingly share this knowledge. Negative knowledge, however, is linked to threats and failures rather than successes, and is not that often highlighted within organizations. An organization’s capability development would still benefit from sharing both the opportunity-related, positive knowledge and the threat- and failure-related, negative knowledge (such as areas of potential risks and vulnerabilities), as both aspects support new knowledge creation. (Teece 1998, 64).

Negative knowledge, and especially the potential cognitive biases that make identifying and sharing negative knowledge challenging, have been widely researched and discussed, and the underlying reasons for these challenges from both individual and organizational perspectives have been examined. Based on these findings, individuals have tendencies of ignoring negative knowledge for various reasons (Parviainen & Eriksson 2006; Dunning 2011), and organizational cultures affect the collective willingness to share negative knowledge (Serenko & Bontis 2016).

Knowledge that is observable/non-observable in use

Teece (1998, 64) also mentions that knowledge can be categorized as observable or non-observable when in use. As an example of observable knowledge, they mention that many technological devices, such as scanners, printers or microprocessors, include knowledge that can be “reverse engineered” when the actual device is available. On the other hand, they see that process technology is largely non-observable when in use, or at least more difficult to capture. (Teece 1998, 64).

This perspective can be considered to include the assumption of human interaction needed to form knowledge (discussed in the previous section), as it simply states that there is “knowledge” embedded into material objects, and that the existence of this knowledge requires it to be recognized by a human, independent of its observability, before any conclusions can be made out of this “knowledge”. Teece (1998, 64) explains that, when it is not known how a certain object (such as a machine) has been built, first observing how it operates and then making assumptions about its construction can be one source of knowledge, but finding out how it is constructed would significantly increase this knowledge. Even though some of the technologies (such as computer code) do include capability for performing “individual actions”, this kind of action is not considered as action related to knowledge, as it does not include human activity (Robey et al. 2013, 385).

Systemic/componential knowledge

Spender (1996) brings up another categorization of knowledge: systemic knowledge vs. componential knowledge. Componential knowledge means those private-knowledge types of components that – if viewed separately – may appear disparate and incommensurate but, when interacting with other components, form a system and a basis for systemic knowledge. For example, skills of an individual can become part of organizational routines (“institutionalized”), and thereby become part of systemic knowledge. Systemic knowledge, for its part, is an understanding of how the entity works, and for example simulations are often used as a tool for gaining this kind of understanding. (Spender 1996, 58).

Autonomous/systematic knowledge

Teece (1998, 64) also approaches knowledge from componential vs. systematic perspective but with a slightly different intention. They mention that a single component or an object itself can be a source for either autonomous or systematic knowledge. When a component is changed or replaced, it may or may not impact the rest of the system. In a case of autonomous knowledge, there is no impact but when the knowledge contained by the component is systematic, the changes will also require changes elsewhere in the system. (Teece 1998, 64).

Embrained/embodied/encultured/embedded/encoded knowledge

Looking at knowledge in organizations from a holistic perspective, Blackler (1995) has summarized the knowledge types in five categories that they mention to be based on initial categories first suggested by Collins in 1993. The first of these categories, embrained knowledge, is individual and tacit, and originates from using conceptual skills and cognitive abilities. It is largely linked to the concept of learning and the ability to understand connections between knowledge originating from various sources. When knowledge is embodied, it has been constructed through physical experience obtained through interaction between individuals or for example between an individual person and technology, and it can be in both explicit and tacit format. Encultured knowledge, for its part, involves social transformation of knowledge, leading to shared understandings (and knowledge being collective instead of individual); Blackler also compares encultured knowledge with Nonaka’s views on how knowledge is created as a “process of achieving shared understandings”. Embedded knowledge lies within the organization’s collective systems and routines, and it is manifested through relationships between people but also within the non-human elements of the organization (such as technological systems). Finally, Blackler mentions the encoded knowledge that includes the documented knowledge, symbols, and signs in both physical and electronic (digital) format and that is in explicit format. (Blackler 1995, 1023-1026, 1033).

Blackler also states that there is a relationship between the embodied knowledge expressed via action-oriented skills and the encoded knowledge, which in the case of computer systems can be seen to either complement or replace these action-oriented skills when these systems conduct certain actions on behalf of people (1995, 1031-1032). This is also linked to the observable/non-observable knowledge mentioned by Teece (1998, 64) who says that activities conducted by technology may not be fully observable and understandable, especially if the people trying to analyze these activities cannot obtain knowledge on how the technology itself has been constructed. On the other hand, considering Rowley’s (2007) observations on information requiring human interpretation to become knowledge, it can be argued that any knowledge embedded into computer-based systems, including for example automated processes or machine learning algorithms, is not actually knowledge but rather a reflection of human activities based on knowledge.

A distinct field of organizational and information systems research has emerged around the socio-technical and sociomaterial aspects of knowledge and learning. This research aims at understanding the interaction between human and non-human (material) actors, suggesting that socio-technical aspects or sociomateriality should be considered in all organizational research, as these actors are continuously interacting and impacting each other. These fields of research also consider that knowledge is based on social interaction, and they mostly maintain the distinction between the material and social worlds based on this assumption, meaning that they do not consider material objects as such to “contain” knowledge. (Orlikowski 2007; Leonardi & Barley 2008; Robey et al. 2013).

2.1.4 Summary of different knowledge categorizations

In addition to the various categories of knowledge listed in the previous sections, there are many other categorizations available in knowledge management literature and many other ways to look at the different characteristics of knowledge. To further explain the characteristics of knowledge, a summary of the categories described in this chapter can be found in Table 2. The table also shows the connection between the other categories and the four main categories (Nonaka 1994) when explicitly mentioned by the author.

Knowledge is embodied into the whole organization and its elements, such as production equipment and information systems, as these are designed and built using knowledge, and the patterns taking place between the people, technologies and techniques are unique for each organization (Grant 1996, 112; Bhatt 2001, 70). However, these material objects cannot be considered as knowledge unless human interaction and interpretations are involved. (Teece 1998; Robey et al. 2013).

As Nonaka et al (2000, 8) state: “Knowledge creation means renewing one’s existing context and knowledge through the continuous interaction with others, either other individuals or environment.” This means knowledge is impacted by and affects everything on an ongoing basis. While this section builds an initial background for understanding the multifaceted nature of knowledge, the next section explains how the dynamic nature of knowledge has been approached in knowledge management literature.

Table 2. Summary of different categorizations of knowledge.

2.2 Dynamic nature of knowledge

Even though suggestions have been made by some researchers on combining various characteristics and categorizations of knowledge into even more simplified frameworks (e.g., Lam 2000), many researchers consider that there are challenges in making such simplifications. For example, Nonaka (1994) highlights the continuous interaction between the four different categories of knowledge, and Blackler (1995, 1032) emphasizes that their five categories of knowledge cannot be viewed as separate from one another, as knowledge is “multifaceted and complex”. Regarding the four main categories of knowledge, explicit, tacit, individual, and collective, it is widely agreed that continuous evolvement of knowledge takes place between these dimensions (Kogut & Zander 1992; Spender 1996; Cook & Brown 1999, Nonaka et al 2000).

One of the most popular approaches to presenting knowledge interaction between the epistemological and ontological dimensions is Nonaka’s “knowledge spiral” (Nonaka 1991/2007; Nonaka 1994, 18-20; Nonaka et al. 2000, Nonaka & Von Krogh 2009). The next section explains this approach, called the SECI process/model, and the following section addresses how it has influenced some of the other pursuits of understanding knowledge.

2.2.1 Nonaka’s SECI model

The SECI model, first introduced by Nonaka in the 1990s, is based on the idea that understanding knowledge conversion and knowledge creation starts by recognizing that the four categories of knowledge are mutually complementary, and that it is often not possible to make a clear distinction between the explicit and tacit categories of knowledge (Nonaka & Von Krogh 2009, 638). Knowledge conversion involves all types of knowledge assets within an organization (Nonaka 1994; Nonaka et al. 2000; Nonaka & Von Krogh 2009, 643). The dynamic conversion of knowledge takes place continuously between explicit and tacit knowledge in the form of an endless spiral. (Nonaka 1991/2007; Nonaka 1994, 18-20; Nonaka & Takeuchi 1995; Nonaka et al 2000; Takeuchi & Nonaka 2002; Nonaka & Von Krogh 2009; see also Figure 3).

Figure 3. SECI model for knowledge conversion (Nonaka et al. 2000, 9-12).

[Figure 3 panels: Socialization, Externalization, Internalization, Combination; axis labels: Tacit, Explicit.]

Because knowledge evolves as an endless spiral, the process cannot be described as a traditional “process” (input-function-output). Instead, the spiral utilizes inputs all the time and as a result, knowledge continuously evolves. The spiral itself takes the knowledge through four different modes: Socialization, Externalization, Combination, and Internalization, the first letters of which form the name of the model, “SECI”. The elements of the SECI model all have an important role in the evolution of knowledge. (Nonaka et al. 2000, 12).

Socialization means evolving tacit knowledge through shared experience that enables understanding of the thinking processes of knowledge creation participants. This assumes interaction between individuals and does not necessarily include any articulated (explicit) knowledge such as language or even physical motion/gestures. (Nonaka 1994; Nonaka et al. 2000).

Externalization happens when the expressible elements of tacit knowledge are materializing towards explicit knowledge. Tacit knowledge is needed for articulation so that knowledge can become explicit and transferrable. This happens through various social processes of sharing and transferring knowledge. (Nonaka 1994; Grant 1996; Teece 1998; Nonaka et al. 2000). According to Nonaka & Von Krogh, knowledge always contains a “capacity to act” and as explicit knowledge always “lags behind” from what the organization and individuals possess in the form of tacit knowledge, externalization is also needed to improve explicit knowledge (2009, 642-643).

Combination requires reconfiguring existing explicit knowledge; these activities of “sorting, adding, recategorizing and recontextualizing explicit knowledge can lead to new knowledge” (Nonaka 1994, 19). Combined knowledge may manifest for example in the form of a concept, blueprint or decision (Takeuchi & Nonaka 2002).

Internalization of knowledge has been described by Nonaka & Von Krogh as an “individual, psychological process” (2009, 642), and it means that knowledge becomes part of an individual’s tacit knowledge “in a form of shared mental models or technical know-how” (Nonaka et al. 2000, 10). Internalized knowledge is thereby “embodied” (Nonaka et al. 2000).

The SECI process is not a linear process, and all four main categories of knowledge (explicit, tacit, individual, and collective) continue to exist and evolve throughout the spiral of knowledge conversion. Due to its dynamic nature, knowledge accumulates and changes continuously, and cannot be reviewed as static. (Nonaka 1994; Nonaka et al. 2000; Takeuchi & Nonaka 2002).

Knowledge conversion taking place through SECI process is at the core of knowledge creation, and knowledge creation becomes organizational level knowledge creation, when all its four modes are “organizationally” managed as a continuum. This assumes what Nonaka calls “triggers”: these are organizational activities, such as forming a team (to promote socialization), facilitating a dialogue (to support externalization), creating concepts (for combination purposes), or experimenting with new solutions (leading to internalization of knowledge). When tacit knowledge in individuals is “mobilized” through this spiral, the knowledge converted through the four modes eventually becomes collective on group, organizational or even interorganizational level. The phenomenon of organizational knowledge creation is described in Figure 4. (Nonaka 1994, 20)

Figure 4. Spiral of organizational knowledge creation (Nonaka 1994, 20).

Nonaka, together with Takeuchi, further emphasizes that knowledge is most useful in its explicit format, as this enables it to be leveraged also by the rest of the organization or by a wider audience. They see that socialization and combination are mainly related to intra-organizational knowledge (or what they call “sympathetic” knowledge), while conceptualization (taking place as part of externalization) helps leverage the created knowledge to a wider audience. (Takeuchi & Nonaka 2002, 156-158).

Nonaka has been developing their work on the SECI model throughout the years, and whereas the first versions discussed mainly knowledge creation to take place in the minds of individuals or between two or more individuals in human-to-human interaction (Nonaka 1991/2007, Nonaka 1994), the later publications discuss knowledge creation as social interaction between individuals or individuals and their environment (Nonaka et al. 2000; Nonaka & Von Krogh 2009).

2.2.2 SECI model and knowing

Some potential issues that have been raised regarding the SECI process/model include the somewhat conceptual basis of knowledge conversion (especially the nature and essence of tacit and explicit dimensions of knowledge, such as how to differentiate extremely explicit knowledge and pure information/data) as well as the potential outcomes of knowledge conversion. Nonaka, together with Von Krogh, discuss this critique and – regarding the first issue – state that explicit/tacit categorization is indeed a conceptual one and mainly used for modeling a phenomenon of knowledge conversion that in reality would be much more complex. Regarding the latter issue, they admit that the nature of outcomes from knowledge conversion has not been discussed enough, and that more research is needed. (Nonaka & Von Krogh 2009).

As for the outcomes of knowledge conversion, both Blackler (1995) and Cook & Brown (1998) consider that Nonaka keeps the possession and conversion of knowledge separate from practicing of knowledge, and thereby also separates knowledge conversion from the concept of learning (which also happens through practice, including social practice). With this, they refer to the outcomes of knowledge conversion, declaring that “practicing knowledge” is an integral part of the overall knowledge creation process. Cook & Brown specifically point out that the SECI model does not clearly state any action of “knowing”, even though it is both deriving from as well as contributing to the continuously evolving body of knowledge on both the individual and collective levels. This knowing, together with tacit knowledge, is essential for all practice, also for applying explicit knowledge. (Cook & Brown 1999, 394).

Blackler (1995) approaches the potential concern of “mixing” knowledge and learning with the help of activity theory. They see that, besides the socially constructed understanding that is described as learning, knowledge (deriving from the body of knowledge) is also actively present in organizational activity systems in the form of “knowing”, and also affects social interaction. They explain that this is a natural way to maintain the perceived distinction between knowledge and learning without ignoring the relationship between knowledge and action. Blackler describes knowing as a phenomenon that is 1) mediated, as it is continuously manifested in language, technology, collaboration and control; 2) situated, as it can be considered to be located “in time and space and specific to particular contexts”; 3) provisional, as it is both constructed and evolving; 4) pragmatic, as it has a purpose and object, and 5) contested, as it is not evenly distributed and it requires effort (Blackler 1995, 1039).

Building on the SECI model of knowledge conversion (Nonaka 1994), Cook & Brown (1999) propose that the four main categories of knowledge should be used from a conceptual perspective, as each of these types of knowledge, when applied in practice, has a unique functionality. They also state that the two dimensions/four categories are most suitable for describing the knowledge that is possessed (as body of knowledge) and thereby rather static, hence these dimensions can be seen to describe an “epistemology of possession”. On the other hand, when knowledge becomes part of action, it becomes knowing – a phenomenon they describe as “dynamic, concrete and relational”. This is what they call “epistemology of practice”, as it involves action and especially interaction between the body of knowledge and the situational context. (Cook & Brown 1999, 383-388, see also Figure 5).

Cook & Brown further explain that knowing, or epistemology of practice, is involved in situations where knowledge is either used in action or where knowledge is part of action. Explicit knowledge could be simplified as “knowing what” and tacit knowledge as “knowing how”. The role of explicit knowledge in those situations would be to help gain the tacit knowledge (e.g., one knows “in theory” and applies this knowledge in practice), and the role of tacit knowledge is to help gain explicit knowledge (by doing something, one gains knowledge they can also explicitly express). This action also creates new knowledge. (Cook & Brown 1999).

Figure 5. Adding knowing to knowledge (adapted from Cook & Brown 1999, 393).

While Nonaka’s earlier work (e.g., Nonaka 1994; Nonaka et al. 2000) highlights the role of tacit knowledge in knowledge conversion, Nonaka & Von Krogh also align with the views of Cook & Brown (1999) when they admit that it is not always the tacit knowledge/knowing alone that generates action, and that explicit knowledge may also inspire action on the individual or collective level. They also admit that the original organizational knowledge creation theory and the knowledge conversion model do not discuss the role of social practices and action, as this viewpoint has been developing only after the knowledge conversion theory was first introduced. To explain the conceptual differences between the theory of organizational knowledge creation and the theories of knowing and social practices, Nonaka & Von Krogh point out that the goal of the former is to discuss how new knowledge in the organization is created, whereas the latter strive to explain “how organizations conserve tacit knowledge through social practices”. (Nonaka & Von Krogh 2009, 645-646).

The constructive discussion between different researchers has aided in forming an understanding of what knowledge is, and especially how it exists. SECI model and
